Information Commissioner's Office 


Meeting: Management Board Date: 20 July 2020 
Agenda item: 5.2 Time: 15 minutes 
For decision 


Presenter: James Moss 


Topic: Approach to updating the Regulatory Action Policy (‘RAP’) and 
Statutory Guidance 


Issue: Whether the Board is content for the Statutory Guidance, once 
completed, to go out for public consultation 


Reason for report: On 16 March 2020, just before the closure of the ICO’s 
offices as a result of the CV19 pandemic and associated ‘lockdown’, a paper was 
presented to informal management board for discussion on revising and 
updating the ICO’s RAP (copy attached as Appendix 1 for reference). 


At that meeting the board gave a steer that they agreed with the proposed 
approach to split the work required to update the RAP into two parts, with the 
parts required by law to be formally consulted upon (the Statutory Guidance) 
to be dealt with separately to the rest of the RAP, but that we should not 
conduct any public consultation at that point given the prevailing public health 
situation. 


We have been progressing this work in the intervening period in line with that 
steer and are now at the point where we believe it appropriate to consider 
conducting the necessary public consultation. A cross office working group has 
been set up to progress the work with the specific work plan as follows: 


OBJECTIVES 


• Revise and update the Statutory Guidance which must include sections 
  on: 

    - information notices, 
    - assessment notices, 
    - enforcement notices, and 
    - penalty notices. 
• To ensure final sign off of the Statutory Guidance internally by xx 2020 

• To undertake full formal consultation of the Statutory Guidance (6 
  weeks) and to review and amend following consultation responses 

• To consult with DCMS and Secretary of State on the Statutory Guidance 
  followed by Parliamentary consultation and approval 

• To review, consult and publish the updated Regulatory Action Policy 


In respect of overall timescales, the ambition is to reach the stage of 
completion of the work on the Statutory Guidance including the fining model, 
by 1 October and the RAP by 31 December 2020. We consider this schedule to 
be ambitious but achievable provided that we are able to progress to formal 
consultation as set out in this paper. The reason for the proposed backstop of 
31 December is to align with the end of the Brexit transitional period meaning 
that there will be a fully revised and updated RAP and Statutory Guidance 
product available for use and published at the point at which the transition 
period is concluded. 


In line with the steer that the Board gave at that earlier informal session, this 
public consultation will cover the Statutory Guidance element of the current 
RAP but won't cover the other broader contents of the current RAP. 


We are now looking for the Board to support this approach as the overall public 
health position has shifted since the Board last considered this issue, the work 
on updating the RAP has progressed and the question of whether it is now 
appropriate to enter into public consultation is therefore now a live issue which 
should be re-assessed. 


Purpose of report: To decide whether the approach set out above is agreed 
and whether, in light of changes since March 2020, the Board now approves 
moving to formal public consultation on the Statutory Guidance elements of 
the RAP as soon as the work is ready for that to be done. 


Background: In April 2020, we published a document setting out the ICO’s 
regulatory approach as a pragmatic and proportionate regulator during the 
coronavirus public health emergency. In July 2020 ET reviewed this document 
and agreed an updated approach document (provided at Appendix 2). This will 
be published on the ICO’s website alongside a supporting statement from the 
Commissioner and an FOI blog (expected to be during w.c. 13 July). 


As the pandemic moves towards the recovery phase, we will further update the 
document to ensure that the relevant considerations and proposed changes to 
our regulatory posture can be assessed again at that time. We currently expect 
this to be around October 2020 but will adjust timescales as necessary. 


The relevance of the above to the present paper is that as our wider regulatory 
approach shifts to take account of the wider public mood alongside evolving 
government guidance, it is appropriate that matters we had previously put ‘on 
hold’ at the start of the pandemic should now be revisited and their progress 
reassessed. 


Discussion: Any consideration of whether it is an appropriate time to enter 
into public consultation on such fundamental issues is a finely balanced one. 
In favour of entering into consultation as soon as possible is the fact that until 
this process is completed the Statutory Guidance cannot be updated and the 
risks identified in the paper attached at Appendix 1 remain live. Those risks 
increase the longer this work is delayed. On the other side of the equation 
there is a risk that entering into public consultation at a time when many 
public and private sector organisations are still struggling with the impact of 
CV19 may mean they do not have sufficient resources to properly engage with 
the consultation meaning in turn we do not receive the best and most useful 
response enabling us to take account of all relevant views and concerns. Our 
assessment of the situation is that the balance between those two factors has 
now tipped in favour of progressing to consultation as soon as possible as the 
general response to the CV19 pandemic moves from an initial emergency 
response phase to a more stable recovery phase, albeit with many challenges 
remaining. 


The vision for the project to update the RAP and Statutory Guidance has four 
key elements: 


1. To allow staff (internal facing) those we regulate (external facing) and 
Government to clearly understand our approach to regulation and to 
have increased certainty as to likely regulatory outcomes. 

2. To remove any confusion or doubt as to how we work and how we will 
utilise our powers, which is a good in and of itself and also promotes 
greater compliance with the law. 

3. In light of the fast-moving regulatory landscape and the significant 
increases in our powers since the previous iteration of the RAP was 
published to ensure that we are relevant. 

4. To ensure that all the various limbs of the ICO’s work and the various 
statutes that we regulate are covered by an overarching and consistent 
model. 


The Objectives would be to produce the key deliverables in line with the time 
frame set out above, with the overarching objective across all deliverables that 
they be clear, accurate and legally sound: 


• Updated Statutory Guidance 

• Updated Regulatory Action Policy 

• Associated internal and external comms products to socialise and explain 
  those documents post consultation and implementation 


Options: 


1. Do Nothing and leave the public consultation ‘on hold’. Benefits - avoids 
the risk of consultation not being effective because interested parties do 
not have sufficient resources to respond. Detriments - the risks inherent 
in not updating the Statutory Guidance cause significant damage to the 
ICO’s ability to conduct its work and to its reputation. 

2. Move forward with the public consultation as soon as possible once the 
relevant documentation is completed. Benefits - the risks set out at 
Appendix 1 are mitigated and the office is able to move forward with the 
revised Statutory Guidance and then move on to working on the rest of 
the wider RAP project. Detriments - the responses to the public 
consultation may not be as detailed or wide ranging as might otherwise 
be obtained were it to be delayed further. 

3. Decide to move forward with public consultation but delay 
commencement to a future date, pushing back completion of the overall 
workplan into 2021. Strikes a mid-point between the benefits and 
detriments on options 1 and 2 but means that we do not comply with the 
proposed revision timetable as set out in the current RAP (see details 
below). 


Recommendations: Option 2 is recommended for the reasons set out 
above, namely that benefits of proceeding outweigh the risks of further delay. 


Next steps: The cross office project group dealing with the Statutory 
Guidance and RAP work will expedite the proposals for the Statutory Guidance 
work and aim to send that out for public consultation as soon as possible with 
a proposed timescale of completion by 1st October for the Guidance and by 
31st December for the RAP, which aligns with statements we have made about 
timing of updates within the current RAP and the IRSP¹. 


Resource implications: All necessary resources are already committed and 
in place in the form of a cross office project group which is already working on 
updating the RAP and the statutory guidance. 


Equality, diversity, and inclusion considerations: It is not considered 
that there are any equality and diversity considerations in relation to this 
report. The public consultation itself may have such considerations but they 
will be assessed and dealt with as part of the consultation process. 


¹ The current RAP itself says that “We will keep this Policy under review and evaluate it 
regularly and at least at the end of the Information Rights Strategic Plan timeline. We will 
update it to reflect any amendments to legislation, including any implementation of an updated 
e-Privacy Regulation, and once the final settlement between the EU and the UK post-Brexit is 
confirmed.” 

The IRSP in turn confirms that it covers the period from April 2017 to March 2021 so the 
publicly stated ‘hard stop’ for the ICO to have reviewed the RAP is by no later than March 
2021. 


Alignment with values: 


Collaborative - this work engages with the RAP project cross-office group 
which is a collaborative exercise to ensure the work is progressed and is also 
collaborative externally with relevant stakeholders who will engage with and 
respond to the consultation 


Service Focused - progressing this work allows the office to provide an 
improved service to everyone who uses and needs to refer to the Statutory 
Guidance which is a key resource both for colleagues within the organisation 
but also externally for organisations who want clarity and certainty as to the 
ICO’s position on the matters set out within it. 


Link to the Information Rights Strategic Plan: 


Goal #2: Improve standards of information rights practice through clear, 
inspiring, and targeted engagement and influence. 


Goal #5: Enforce the laws we help shape and oversee. 


Impact on Risks and Opportunity Register: 


Mitigates Risk 73 - As a rapidly expanding organisation we fail to introduce the 
necessary infrastructure and culture to ensure appropriate compliance with all 
relevant legal and other obligations expected of a modern regulator 


Mitigates Risk 3 - ICO fails to meet expectations when dealing with its 
regulatory action priorities in a timely and effective way; and hence does not 
meet the wide range of expectations of stakeholders. 

Publication considerations: This report can be published internally and 
externally but publication of Appendix 2 should be delayed until the final 
version is published as that document is currently in draft and may change 
after the drafting of this document. 


Author: James Moss, Acting General Counsel 
Consultees: James Dipple-Johnstone, Deputy Commissioner 


List of Annexes: Appendix 1 - 16.03.20 paper on Revising and updating the 
ICO’s Regulatory Action Policy 


Appendix 2 - ICO updated Regulatory Posture document xx.07.20 - IN DRAFT 


Appendix 1 


16.03.20 Paper 


Meeting: Management Board Date: 16 March 2020 
Agenda item: Afternoon session [#] Time: [45 minutes]? 


External publication: No 
Internal publication: No For discussion 


Presenter: James Moss 


Topic: Revising and updating the ICO’s Regulatory Action Policy (“the RAP”). 


Reason for report: To advise Management Board of current issues and serve 
as a basis for discussion 


Background: 


Section 160 of the Data Protection Act 2018 (“DPA”) imposes obligations on 
the Commissioner to issue guidance as to the use of her regulatory powers. It 
also provides the opportunity to go beyond what is strictly required and to 
issue guidance on a wider range of topics: 


160 Guidance about regulatory action 


(1) The Commissioner must produce and publish guidance about how the 
Commissioner proposes to exercise the Commissioner's functions in 
connection with— 


(a) information notices, 

(b) assessment notices, 

(c) enforcement notices, and 

(d) penalty notices. 


(2) The Commissioner may produce and publish guidance about how the 
Commissioner proposes to exercise the Commissioner's other functions 
under this Part. 


The current RAP includes not only guidance which is mandated by s.160(1) but 
also additional guidance which is discretionary under s.160(2). 


The current RAP was published on 7 November 2018 and since its introduction 
several matters have come to light which would merit re-consideration and 
review. 


Discussion: 


A short non-exhaustive list of matters which merit review and reconsideration 
in the current RAP is as follows: 


1. The GDPR fining model on page 27, in particular more detailed guidance 
on how exactly the amount of any penalty will be arrived at. 

2. How we use our assessment notice powers and their link to formal 
enforcement action. 

3. Correcting/clarifying an apparent typo at the bottom of page 18, which 
suggests we do require access to legally privileged information. 

4. How we refer to the regulatory panel at page 26, how that panel should 
function and when it should be used. 

5. Removing the discretionary element of the fixed penalty fining regime 
following the decision of Siddiqui v IC at the FTT, see page 28. 


The RAP makes it clear that it will be kept under review and regularly 
evaluated to reflect any amendments to legislation, “including any 
implementation of an updated e-privacy Regulation, and once the final 
settlement between the UK and post-Brexit is confirmed.” 


All of the above points are of importance and require further consideration and 
resolution. Given that the legal and regulatory landscape post Brexit transition 
period remains in certain respects unclear it may well be that further revision 
of the RAP would be required after that date. 


Points in Detail: 


(1) GDPR fining model 

Under the Old Law (DPA98) the maximum penalty was £500,000 no matter the 
size of the recipient company or the seriousness of the breach. Under current 
law the maximum penalty is 20 million Euros (or equivalent in sterling) or 4% 
of the total annual worldwide turnover in the preceding financial year, 
whichever is higher. Under the Old Law the ICO adopted and successfully used 
a banded model where the available amount of financial penalty was split into 
five bands. There is currently no such corresponding model and the current 
version of the RAP does not clarify or assist in determining how the ICO will 
arrive at an amount except in general terms. This risks our enforcement 
action being criticised and challenged as arbitrary, opaque, and unfair. We 
consider resolving this position to be the most urgent of the issues currently 
arising in respect of the RAP. 


(2) Assessment Notice Powers 

As noted above, Assessment notices are included in the list of mandatory 
guidance topics under s.160(1) and on the face of it therefore are equally 
serious powers in their application and consequences. Given that these are, 
effectively, new powers under the DPA18, the teams utilising these powers 
have realised there needs to be a more rigorous framework about when we 
deploy those powers and how we make and document those decisions. This 
thinking would benefit from being included in any revised RAP. 


(3) Access to Privileged Material 

Section 143(3) DPA18 (Information Notices) and s.147(3) (Assessment Notices) 
make clear that such notices cannot require the production of legally 
privileged material and therefore that a request for such material is a 
nullity. Concerns have been expressed that in certain cases the recipient of a 
notice could assert that material is privileged and there is no obvious way 
for the ICO to check or corroborate that assertion. How to resolve that 
concern is a matter for further discussion but the RAP as currently drafted 
will have to be amended to reflect the clear letter of the law. 


(4) The Regulatory Panel 

At the time the RAP was developed and implemented the details of the 
Regulatory Panel had not been fleshed out fully. Seeking to do so and then 
seeking to apply the model to real life cases has produced several concerns 
and questions about how the Panel would work in practice. For example, should 
it meet before or after any Article 60 referral, should it report to the 
Commissioner or to the decision maker with delegated authority, in which 
types of cases should it be convened and how should that decision be made? 


(5) Fixed Penalty Fines amounts 

A recent case before the Tribunal has strongly advised that the current 
position should be amended as there is uncertainty as to how the model in the 
RAP should apply and the intention of there being a fixed fines model is that 
there should be no uncertainty in how the amount of any fine is calculated. 
Whilst the advice of the Tribunal is technically not binding, the view is that 
it would be prudent to revise the RAP to take account of that advice and 
remove the extra discretionary amount currently included for lack of 
co-operation. 


Timing and sequencing of work: 


There is a tension therefore between the desire to resolve matters which are of 
immediate concern urgently and to wait until the political and legal position is 
clearer post December 2020. 


Of the points above the fining model is of most pressing concern given that 
there are live cases ongoing which require penalties to be decided upon and 
imposed on a regular basis; indeed, post GDPR monetary penalties have 
already been imposed under this version of the RAP. 


It could therefore be decided to conduct a light touch review of the RAP for the 
time being, on the understanding that we will have to review it again when the 
regulatory landscape becomes clearer, with the primary aim of clarifying the 
GDPR fining model as a matter of urgency with a view to getting the RAP out 
for consultation as soon as possible. 


Questions/Topics for discussion: 


• What is Management Board’s view as to the points of concern raised and 
  their hierarchy of risk? 

• What is Management Board’s view as to timing and sequencing of work, 
  balancing the need for prompt resolution of issues against the current 
  uncertainty around the political and legal position during the transition 
  period? 

• What is Management Board’s view more generally (a) as to whether the 
  RAP should seek to be narrowly construed in line with the strict statutory 
  obligations under s.160(1) or should include other discretionary elements 
  as per s.160(2) and, (b) if the latter, should those elements be included in 
  one document or be divided into separate documents? 


Author: James Moss 


Consultees: James Dipple-Johnstone, Cathy Bamford 


Appendix 2 


Updated Regulatory Posture document July 2020 - IN DRAFT final content tbc prior to 
publication 


The ICO’s regulatory approach during the coronavirus 
public health emergency 


Our role as an independent regulator is to act in the public interest, and 
our approach has always been to be a pragmatic and proportionate 
regulator. 


The coronavirus public health emergency means that we must reassess 
our priorities and our own resourcing, so that we retain the right balance 
in these challenging times, focusing on those areas likely to cause the 
greatest public harm. 


This paper sets out how we will regulate during the current public health 
emergency, focusing in particular on data protection and freedom of 
information laws. 


Background: 


These are exceptional times in the nation’s history. Parliament and 
government have enacted emergency legislation and there have been 
significant impacts on services across government, public bodies, and 
businesses. 


In particular, the current coronavirus public health emergency means 
that: 


• organisations are facing staff and operating capacity shortages; 

• a small number of health, local and central government, charities, 
  and law enforcement public authorities continue to face front-line 
  pressures and are re-deploying resources to meet those demands; 
  and, 

• organisations are facing acute financial pressures impacting their 
  finances and cashflows. 


As a public authority, we must act in a manner which takes into account 
these circumstances. This includes deciding how we exercise our 
enforcement powers, how we deliver technical advice and guidance to 
public and private sector organisations, how we continue to support 
transparency in public decision making and how we support the public in 
dealing with their complaints and queries. We acknowledge the important 
role that people’s information rights will continue to have, both around 
privacy protections and transparency around decision making by public 
bodies. 


The law gives us flexibility around how we carry out our regulatory role, 
which allows us to recognise and engage with the unique challenges the 
country is facing. For example, data protection laws contain checks and 
balances to ensure that personal information can flow and be effectively 
utilised for healthcare. Similarly, there are appropriate and proportionate 
safeguards for individuals’ personal information that also allow for a 
recognition of the public interest, for instance in the use of apps, research 
projects and digital tools that rely on large personal data sets. 


There are specific legal requirements which apply to particular work we do 
and decisions we make. For example, we are required by law to deal with 
complaints by the public appropriately, and when we take enforcement 
action there are specific criteria we must take into account. We recognise, 
however, that the current reduction in organisations’ resources could 
impact their ability to comply with aspects of the law. 


We are committed to an empathetic and pragmatic approach, and will 
demonstrate this through our actions: 


• We will continue to recognise the rights and protections granted to 
  people by the law, both around their personal information and their 
  right to freedom of information. 


• We will focus our efforts on the most serious challenges and 
  greatest threats to the public. 


• We will assist frontline organisations in providing advice and 
  guidance on data protection laws. 


• We will take firm action against those looking to exploit the public 
  health emergency through nuisance calls or by misusing personal 
  information. 


• We will be flexible in our approach, taking into account the impact 
  of the potential economic or resource burden our actions could 
  place on organisations. 


• We will be ready to provide maximum support for business and 
  public authorities as they recover from the public health emergency. 


Engagement with the public and organisations: 


We are committed to supporting organisations through this period, 
reflecting the challenges they face. In particular, we acknowledge our role 
in supporting frontline organisations that provide healthcare or other vital 
services. 


1. We will identify and fast track advice, guidance, or tools that public 
authorities and businesses tell us would help them deal with, or 
recover from, the crisis. 


2. We will review the economic and resource impact of any new 
guidance. We will delay any specific guidance that could impose a 
burden that diverts staff from frontline duties, except where it is 
needed to address a high risk to the public. 


3. We will provide practical support to the public as to how to understand 
and exercise their information rights during this crisis. This could 
mean that individuals are advised to wait longer than usual and ‘bear 
with’ organisations. 


4. When handling the public’s complaints about organisations, our 
approach will take into account the impact of the crisis. This may 
mean we resolve the complaint without contacting an organisation, 
for example if it is focussing its resources on the coronavirus frontline, 
or that we give it longer than usual to respond or to rectify any 
breaches associated with delay if it is recovering its service and 
gradually improving timescales. 


5. We will look to develop further regulatory measures that are ready to 
use at the end of the crisis. These would support economic growth 
and recovery including advice services, sandboxes, codes, and 
international transfer mechanisms to test flexibility in safe data use. 


Regulatory action: 


The ICO has a Regulatory Action Policy which provides guidance as to our 
approach to regulatory investigations and enforcement action. 


As set out in the policy, the ICO will continue to act proportionately, 
balancing the benefit to the public of taking regulatory action against the 
potential detrimental effect of doing so, taking into account the particular 
challenges being faced at this time. 


1. Organisations should continue to report personal data breaches to us, 
without undue delay. This should be within 72 hours of the 
organisation becoming aware of the breach, though we acknowledge 
that the current crisis may impact this. We will assess these reports, 
taking an appropriately empathetic and proportionate approach. 


2. When we conduct investigations, we will act knowing there is a public 
health emergency and seek to understand the individual challenges 
faced by organisations. We will take into account the particular impact 
of the crisis on that organisation. This may mean less use of formal 
powers that require organisations to provide us with evidence, 
and allowing longer periods to respond. We also expect to conduct 
fewer investigations, focussing our attention on those circumstances 
which suggest serious non-compliance. 


3. We will take a strong regulatory approach against any organisation 
breaching data protection laws to take advantage of the current crisis. 


4. We will undertake some risk-based audit work on an offsite basis 
recognising the travel and contact restrictions that remain in force. 


5. In deciding whether to take formal regulatory action, including 
issuing fines, we will take into account whether the organisation’s 
difficulties result from the crisis, and if it has plans to put things right 
at the end of the crisis. We may give organisations longer than usual 
to rectify any breaches that predate the crisis, where the crisis 
impacts the organisation’s ability to take steps to put things right. 


6. All formal regulatory action in connection with outstanding 
information request backlogs will be suspended. 


7. As set out in the Regulatory Action Policy, before issuing fines we 
take into account the economic impact and affordability. In current 
circumstances, this is likely to mean the level of fines reduces. 


8. We may not enforce against organisations who fail to pay or renew 
their data protection fee, if they can evidence that this is specifically 
due to economic reasons linked to the present situation, and provided 
we are adequately assured as to the timescale within which payment 
will be made. 


9. We will recognise that the reduction in organisations’ resources 
could impact their ability to respond to Subject Access Requests, 
where they need to prioritise other work due to the current crisis. 
We can take this into account when considering whether to impose 
any formal enforcement action. 


Freedom of Information Act and Environmental Information 
Regulations: 


This unique crisis has required quick decision making and innovative uses 
of data, including geolocation and geospatial information. There has been, 
and will continue to be, intense public interest in understanding how and 
why decisions were taken and how information was used. 


We will take an empathetic and pragmatic approach to our role 
regulating access to information regulation, recognising the 
importance of transparency, especially where people have seen 
their civil liberties impacted. 


We recognise that the reduction in organisations’ resources could 
impact their ability to comply with aspects of freedom of information 
law, such as how quickly FOI requests are handled, but we expect 
appropriate measures to still be taken to record decision making, so 
that information is available at the conclusion of the emergency. We 
do not expect this will impact on the ability to take and progress 
actions that are necessary. 


1. We will continue to accept new information access 
complaints. We will take a pragmatic approach to resolving 
these complaints, keeping engagement with the public 
authority to a minimum and being guided by them as to 
whether they are able to respond to our requests or require 
more time to do so. 


2. We will recognise that the reduction in organisations’ 
resources could impact their ability to respond to access 
requests or address backlogs, where they need to prioritise 
other work due to the current crisis. Organisations should 
recognise the public interest in transparency and seek as far 
as possible to continue to comply with their obligations for 
particularly high-risk or high-profile matters. 


3. We understand that there have been extreme 
circumstances where public authorities have had no 
option but to temporarily reduce or suspend elements of 
their information access function. As the pandemic 
emergency response continues to ease, we expect public 
authorities to reinstate all aspects of their information 
access function, ensuring that where necessary they have 
recovery plans in place. 


4. We encourage public authorities to proactively publish 
information they know will be of importance to their 
communities. 


5. We will continue to emphasise and support the importance of 
proper record keeping during a period of time that will be 
subject to future public scrutiny. 


Conclusion: 


With the correct application of flexibility in regulatory response, we 
do not consider that any of the legislation we oversee should prevent 
organisations taking the steps they need to in order to keep the public 
safe and supported during the present public health emergency. 
There is plenty of flexibility built into the legislation for organisations 
to use in such times, including some specific public health related 
exemptions. 


